Apple HomePod Has a Privacy Flaw That No One is Talking About

Apple HomePod officially launched Friday, and Apple is stressing sound quality. It is not emphasizing the Siri voice assistant because it does not currently compare well to Amazon Alexa and Google Assistant. Apple is also not emphasizing privacy and security for HomePod, unlike its positioning of the iPhone. A good reason for that is a HomePod privacy flaw first reported by Nilay Patel from The Verge.

“And, in the worst omission, Siri on the HomePod doesn’t recognize different voices. This doesn’t sound like a big deal, but if you just click yes during all the setup prompts, literally anyone can ask the HomePod to send or read your text messages. Seriously, it’ll just read your texts to anyone if your phone is anywhere on the same Wi-Fi network, which usually reaches far beyond the same room as the HomePod. If your HomePod is in the kitchen and you’re in the basement, anyone can just roll up on the HomePod and have it read your texts. If you have kids, they can just text anyone at will while you’re in the bathroom and you can’t stop it.”

This is basic security and personal privacy. It is great when you can access personal information like text messages and your calendar hands-free without having your phone next to you. However, smart speakers are communal devices. This convenience turns into an issue when any guest in your home has the same data and app access that you do.

Google Home Had a Similar Problem at Launch

The presence of this privacy flaw makes me think Apple isn’t paying attention. Google Home had a similar flaw at launch and it took them six months to correct it. The correction involved a new feature that distinguished users by voice and only made certain information available based on a voice signature. The original issue was primarily associated with visibility into the device owner’s calendar and other account information. Apple should have seen this and ensured it wasn’t an issue for a device they launched 15 months later. It is an unforced error.

A Bigger and Avoidable User Experience Misstep

But I want to emphasize that this is a bigger breach of personal privacy. It is one thing for people to access your calendar. Unrestricted access to read and send text messages is in a different category. Apple needs to address this quickly. HomePod has its share of detractors, whose complaint is that, beyond high-quality sound, the device cannot do very much. However, in this case, what HomePod can do may be the best reason not to purchase it today.

Pat Higbie from XAPPmedia points out that this same privacy and security flaw also exists on the iPhone. Higbie commented in a message to Voicebot:

A similar security hole exists on iPhone with Siri always on. Anyone can pick up your locked iPhone and send text messages and make phone calls on your behalf…someone could steal an iPhone and easily blackmail the owner.

In both cases, the user can protect themselves by restricting Siri access. That would seem to defeat the purpose of a voice-activated assistant and bring us back to a hands-first instead of voice-first interaction. A voice signature solution is a good way to address this issue. I’m sure we could debate whether this is a feature or a bug, but given that Apple is positioning itself in the market as leading in personal privacy, this issue stands out as off-brand.

I still believe Apple can and likely will have an important role to play in the smart speaker market. This is the type of misstep that should raise concerns about inattention to detail in user experience. That is supposed to be Apple’s strength. For now, I’d suggest HomePod owners restrict HomePod access to text messaging altogether.